From reverse engineering several samples of mobile banking trojans, we observed the
presence of repetitive static artifacts that reveal valuable information to
researchers who need to track and monitor the distribution of this
class of malicious apps. In addition to these artifacts, banking
trojans must unavoidably communicate with their operators in multiple
ways (e.g., phone, SMS, Web service), which guarantees another source
of interesting data.
Motivated by the high threat level posed by banking trojans and by
the lack of publicly available analysis and intelligence tools
targeted at mobile banking trojans, we automated the extraction of
such artifacts and created a malware tracker that we named
Droydseuss. Based on the aforementioned observations, Droydseuss
processes malware samples statically and dynamically, searching for
relevant strings (including those allocated at runtime) that contain traces of communication endpoints.
Then, it prioritizes the extracted strings based on the API functions that
manipulate them, giving higher priority to strings used by phone- and web-related
functions. Droydseuss then uses frequent itemset mining to correlate
the extracted endpoints with descriptive metadata from the samples
(e.g., package name), providing aggregated statistics, raw data and
cross-sample information that allow researchers to pinpoint relevant
groups of applications.
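The pipeline sketched above (endpoint extraction, API-based prioritization, frequent itemset mining over package names and endpoints) is illustrated by the following added example. It is not Droydseuss code and not from the paper: the sample records, package names, URLs and phone numbers are constructed placeholders, the regexes and priority table are assumptions, and the miner is a plain Apriori implementation standing in for whatever library the tool uses.

```python
import re
from collections import Counter
from itertools import combinations

# Priority given to a string by the API category of the function that consumed it
# (assumed values). Phone/SMS and web APIs rank highest, as described above.
PRIORITY = {"phone": 3, "sms": 3, "web": 2}

# Assumed endpoint patterns: URLs and bare international phone numbers.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PHONE_RE = re.compile(r"^\+?\d{7,15}$")

# Constructed sample records (hypothetical data, not from any real trojan): each record
# carries the package name and the strings observed for the sample, tagged with the
# API category of the function that used them.
SAMPLES = [
    {"package": "com.example.fakebank",
     "strings": [("http://c2-a.example/gate.php", "web"),
                 ("+10000000001", "sms"),
                 ("http://license.example/terms", "log"),
                 ("Welcome back", "ui")]},
    {"package": "com.example.fakebank",
     "strings": [("http://c2-a.example/gate.php", "web"),
                 ("+10000000001", "phone")]},
    {"package": "com.example.fakebank",
     "strings": [("http://c2-a.example/gate.php", "web"),
                 ("http://cdn.example/lib.js", "web")]},
    {"package": "com.example.other",
     "strings": [("http://c2-b.example/panel", "web"),
                 ("+10000000001", "sms")]},
]


def extract_endpoints(strings):
    """Map each string that looks like a communication endpoint to its priority.
    Strings not handled by a phone/SMS/web API are dropped (priority 0), and an
    endpoint seen through several APIs keeps its highest priority."""
    endpoints = {}
    for value, api in strings:
        if not (URL_RE.search(value) or PHONE_RE.match(value)):
            continue
        prio = PRIORITY.get(api, 0)
        if prio > 0:
            endpoints[value] = max(prio, endpoints.get(value, 0))
    return endpoints


def mine_frequent_itemsets(transactions, min_support):
    """Apriori-style level-wise mining: returns {frozenset(items): support_count}
    for every itemset that occurs in at least min_support transactions."""
    transactions = [frozenset(t) for t in transactions]
    counts = Counter(item for t in transactions for item in t)
    current = {frozenset([i]): n for i, n in counts.items() if n >= min_support}
    frequent = dict(current)
    k = 2
    while current:
        # Join frequent (k-1)-itemsets; keep candidates whose every (k-1)-subset is frequent.
        candidates = set()
        for a, b in combinations(current, 2):
            union = a | b
            if len(union) == k and all(frozenset(s) in current
                                       for s in combinations(union, k - 1)):
                candidates.add(union)
        counts = Counter()
        for cand in candidates:
            counts[cand] = sum(1 for t in transactions if cand <= t)
        current = {c: n for c, n in counts.items() if n >= min_support}
        frequent.update(current)
        k += 1
    return frequent


def sample_transaction(sample):
    """One sample becomes one transaction: its package name plus its prioritised endpoints."""
    items = {"pkg:" + sample["package"]}
    items.update("ep:" + e for e in extract_endpoints(sample["strings"]))
    return items


def most_frequent_itemset(samples, min_support):
    """Return (itemset, support) for the best-supported itemset that links at least
    two items, e.g. an endpoint with a package name, ties broken by itemset size."""
    frequent = mine_frequent_itemsets([sample_transaction(s) for s in samples], min_support)
    multi = {s: n for s, n in frequent.items() if len(s) >= 2}
    if not multi:
        return frozenset(), 0
    best = max(multi, key=lambda s: (multi[s], len(s)))
    return best, multi[best]


if __name__ == "__main__":
    itemset, support = most_frequent_itemset(SAMPLES, min_support=2)
    print(f"support={support}: {sorted(itemset)}")
```

On the constructed data the top itemset ties the package `com.example.fakebank` to the endpoint `http://c2-a.example/gate.php` with support 3, which is the kind of cross-sample correlation the text describes; the license URL is found by the regex but never enters a transaction because the only API that touched it carries no priority.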
We connected Droydseuss to the VirusTotal daily feed, consuming
Android samples that perform banking-trojan activity. In about 5
months it analyzed 1,605 samples. As a result, Droydseuss produces
publicly available blacklists of the extracted endpoints. In addition
to evaluating the performance of Droydseuss, we manually analyzed its
output and found supporting evidence to confirm its
correctness. Remarkably, the most frequent itemset revealed a
campaign currently spreading against Chinese and Korean bank
customers. Although motivated by mobile banking trojan tracking,
Droydseuss can be used to analyze the communication behavior of any
dataset of suspicious samples.